Mastra npm Supply Chain Attack: 140+ AI Framework Packages Backdoored

Official Sources

Last updated: June 17, 2026

If you use Mastra - the TypeScript AI agent framework - check your lockfile now. On June 17, 2026, attackers compromised 140+ packages in the @mastra/* npm scope and injected a remote access trojan that steals cryptocurrency wallets, browser data, and cloud credentials. The attack was active for approximately 88 minutes before detection, but the affected package versions may still be cached in your node_modules or CI pipelines.

This is not a theoretical risk. Mastra's @mastra/core package alone has over 918,000 weekly downloads. The framework is used for building AI agents that typically run in environments with access to LLM API keys, cloud provider credentials, and production databases - exactly the assets this malware targets.

What Happened: The Timeline

June 16, 2026, 07:05 UTC - npm user sergey2016 published easy-day-js@1.11.21, a clean clone of the legitimate dayjs date library. No malicious code at this point - just a typosquat waiting to be weaponized.

June 17, 2026, 01:15-02:36 UTC - Attackers used the compromised account ehindero - a legitimate former Mastra contributor whose npm scope access was never revoked - to publish 141 malicious versions across the @mastra/* namespace. Each new version added a single dependency to package.json:

"dependencies": {
  "easy-day-js": "^1.11.21"
}

June 17, 2026, ~02:40 UTC - easy-day-js was updated to version 1.11.22 with the actual payload: a postinstall hook that downloads and executes a Node.js remote access trojan.

Within 6 minutes - Socket's dependency analysis flagged the malicious easy-day-js and automatically blocked installs for protected users.

June 17, 2026 - npm pulled the malicious versions from the highest-profile packages and reverted their latest tags to clean versions.

How the Attack Works

The payload is a two-stage remote access trojan designed for persistence and data theft.

Stage 1: The Loader (setup.cjs)

When you run npm install on an affected @mastra/* version, npm's postinstall hook executes node setup.cjs --no-warnings. This script:

1. Disables TLS certificate validation
2. Beacons to a command-and-control server at 23.254.164.92:8000
3. Downloads the second-stage payload from 23.254.164.123:443
4. Executes the payload as a detached background process
5. Deletes itself to remove evidence

This all happens automatically during npm install, before you import any code.

Stage 2: The Implant (protocal.cjs)

The second stage is a 41KB cross-platform Node.js implant that:

• Installs persistence across all operating systems:
  • Windows: Run registry key
  • macOS: LaunchAgent plist
  • Linux: systemd user service
• Inventories 166 cryptocurrency wallet extensions including MetaMask, Phantom, Coinbase Wallet, and Trust Wallet
• Extracts browser history and stored data from Chrome, Edge, and Brave
• Collects host reconnaissance including hostname, username, installed software
• Establishes C2 tasking for arbitrary follow-on code execution

The persistence means the malware survives reboots and continues operating even after you remove the npm packages.

Am I Affected?

Check your lockfile for any easy-day-js dependency or any @mastra/* package versions published between June 17, 2026 01:15 UTC and the npm takedown.

# Check for easy-day-js anywhere in your lockfile
grep -r "easy-day-js" package-lock.json pnpm-lock.yaml yarn.lock 2>/dev/null

# Check for recent @mastra/* installs
npm ls | grep "@mastra" 2>/dev/null

If you find easy-day-js in your dependency tree, assume the machine is compromised.

High-Risk Scenarios

You are at higher risk if you:

• Installed or updated any @mastra/* package on June 17, 2026
• Run Mastra agents in CI/CD environments with cloud credentials
• Store LLM API keys (OpenAI, Anthropic, etc.) in environment variables on affected machines
• Have cryptocurrency wallet extensions installed in any browser on the affected system
• Run Mastra in development environments alongside production credential access

Immediate Remediation

If you installed an affected version, treat the machine as compromised. This is not overcautious - the malware is specifically designed to persist and exfiltrate credentials silently.

1. Remove the Persistence Mechanism

macOS:

rm -f ~/Library/LaunchAgents/com.*.plist
launchctl list | grep -i "com\." | xargs -I {} launchctl remove {}

Linux:

rm -f ~/.config/systemd/user/*.service
systemctl --user daemon-reload

Windows (PowerShell as admin):

Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "*suspicious*"

2. Rotate All Credentials

Assume exfiltration. Rotate immediately:

• npm tokens: npm token revoke
• GitHub tokens and SSH keys
• Cloud provider credentials (AWS, GCP, Azure)
• LLM API keys (OpenAI, Anthropic, Google AI)
• Any secrets in environment variables or .env files

3. Check Cryptocurrency Wallets

If you have any crypto wallet browser extensions installed:

• Transfer funds to a new wallet generated on a clean device
• Use a fresh seed phrase - do not reuse the compromised one
• Assume any wallet that was active in the browser is compromised

4. Clean Your Node Modules

rm -rf node_modules package-lock.json
npm cache clean --force
npm install --ignore-scripts  # Install without running postinstall hooks

Then verify your lockfile contains no easy-day-js before allowing scripts to run.

Prevention: Lockfile Hygiene for AI Developers

This attack highlights a pattern that will keep repeating: AI agent frameworks run with elevated privileges and extensive credential access. They are high-value targets.

Install with --ignore-scripts by Default

npm config set ignore-scripts true

This breaks some legitimate packages that need postinstall hooks (like esbuild or sharp), but it also breaks supply chain attacks. You can allowlist specific packages that genuinely need postinstall execution.

Use Lockfile Auditing

Tools like Socket, Snyk, and npm audit catch many supply chain attacks. Socket specifically flagged this attack within 6 minutes of the malicious payload going live.

Audit Contributor Access

The ehindero account was a former contributor whose access was never revoked. This is the most common path for scope takeover attacks. Review who has publish access to your npm packages quarterly.

Pin Dependencies

Avoid ^ and ~ ranges for critical dependencies. A pinned version in your lockfile would not have automatically pulled the malicious update.

What This Means for AI Agent Security

Mastra is not uniquely vulnerable - it just happened to be the target this time. Every AI agent framework that installs via npm (LangChain, Vercel AI SDK, CrewAI, etc.) has the same attack surface: postinstall hooks that run automatically during npm install.

The uncomfortable truth is that AI agent development environments are among the most valuable targets for supply chain attacks. They typically have:

• API keys for multiple LLM providers
• Cloud credentials for deployment
• Access to production data for testing
• Long-running processes with network access

If you are building AI agents, you need to treat your development environment with the same security posture as a production server. That means:

• Isolated environments for untrusted dependencies
• Credential rotation on a schedule, not just when incidents happen
• Dependency scanning in CI that fails builds on known-malicious packages
• Principle of least privilege for API keys and cloud access

FAQ

What is the Mastra npm supply chain attack?

On June 17, 2026, attackers compromised 140+ npm packages in the @mastra/* scope by hijacking a dormant contributor account. They injected a dependency on a typosquatted package (easy-day-js) that downloads and executes a remote access trojan during npm install. The malware steals cryptocurrency wallets, browser data, and cloud credentials.

How do I check if I am affected?

Search your lockfile for easy-day-js: grep -r "easy-day-js" package-lock.json. If present, assume the machine is compromised. Also check for any @mastra/* packages updated on June 17, 2026.

What credentials should I rotate?

Rotate npm tokens, GitHub tokens, cloud provider credentials (AWS/GCP/Azure keys), LLM API keys (OpenAI, Anthropic), and any secrets stored in environment variables. For cryptocurrency, transfer funds to a new wallet with a fresh seed phrase generated on a clean device.

How long was the attack active?

The malicious packages were published between 01:15 and 02:36 UTC on June 17, 2026 - approximately 88 minutes. Socket detected the attack within 6 minutes of the payload activation. However, affected package versions may still exist in cached node_modules or CI artifacts.

Is Mastra safe to use now?

npm has reverted the latest tags to clean versions. However, you should verify your lockfile contains no easy-day-js dependency and that your installed versions are from before June 17, 2026 or after the npm takedown.

How do I remove the malware persistence?

The malware installs persistence mechanisms specific to each OS: LaunchAgents on macOS, systemd user services on Linux, and Run registry keys on Windows. See the remediation section above for removal commands.

How was the contributor account compromised?

The attacker used the npm account ehindero, described as a former Mastra contributor whose scope access was never revoked. The exact compromise method (credential reuse, phishing, etc.) has not been publicly disclosed.

Why are AI agent frameworks targeted?

AI agent frameworks run in development environments with access to LLM API keys, cloud credentials, and often production data. They are high-value targets because a single compromised package can harvest credentials for multiple cloud services, payment processors, and AI providers.

Sources

• Socket Security: Mastra npm packages compromised - Technical disclosure, June 17, 2026
• The Hacker News: 144 Mastra npm Packages Compromised - News coverage, June 17, 2026
• StepSecurity: Mastra npm Packages Compromised Using easy-day-js - Advisory, June 17, 2026
• SafeDep: Mastra npm Scope Takeover - Analysis, June 17, 2026
• Mend: Mastra npm Scope Takeover - Enterprise guidance, June 17, 2026